paskia 0.8.1__py3-none-any.whl → 0.9.1__py3-none-any.whl

paskia/migrate/__init__.py

@@ -11,13 +11,28 @@ Or via the CLI entry point (if installed):
     paskia-migrate --sql sqlite+aiosqlite:///paskia.sqlite --json paskia.jsonl
 """
 
+import argparse
 import asyncio
-from datetime import datetime, timezone
+import re
+from datetime import UTC, datetime
 from uuid import UUID
 
 import base64url
+import uuid7
+from sqlalchemy import select
 
 from paskia.authsession import EXPIRES
+from paskia.db.jsonl import JsonlStore
+from paskia.db.structs import (
+    DB,
+    Credential,
+    Org,
+    Permission,
+    ResetToken,
+    Role,
+    Session,
+    User,
+)
 
 from .sql import (
     DB as SQLDB,
@@ -47,30 +62,14 @@ async def migrate_from_sql(
         sql_db_path: SQLAlchemy connection string for the source SQL database
         json_db_path: Path for the destination JSONL file
     """
-    # Import here to avoid circular imports and to not require JSON db at import time
-    import re
-
-    import uuid7
-    from sqlalchemy import select
-
-    from paskia.db.operations import DB as JSONDB
-    from paskia.db.structs import (
-        _CredentialData,
-        _OrgData,
-        _PermissionData,
-        _ResetTokenData,
-        _RoleData,
-        _SessionData,
-        _UserData,
-    )
-
     # Initialize source SQL database
     sql_db = SQLDB(sql_db_path)
     await sql_db.init_db()
 
     # Initialize destination JSON database (fresh, don't load existing)
-    json_db = JSONDB(json_db_path)
-    # Don't call json_db.load() - we want a fresh database, not to load existing
+    db = DB()
+    store = JsonlStore(db, json_db_path)
+    db._store = store
 
     print(f"Migrating from {sql_db_path} to {json_db_path}...")
 
@@ -90,11 +89,13 @@ async def migrate_from_sql(
     # Migrate permissions with UUID keys and scope field
     # Always create exactly one common auth:org:admin permission for all org admin needs
     org_admin_perm_uuid: UUID = uuid7.create()
-    json_db._data.permissions[org_admin_perm_uuid] = _PermissionData(
+    org_admin_perm = Permission(
         scope="auth:org:admin",
         display_name="Org Admin",
         orgs={},
     )
+    org_admin_perm.uuid = org_admin_perm_uuid
+    db.permissions[org_admin_perm_uuid] = org_admin_perm
 
     # Mapping from old permission ID to new permission UUID
     perm_id_to_uuid: dict[str, UUID] = {}
@@ -113,11 +114,13 @@ async def migrate_from_sql(
 
         # Regular permission - create with UUID key
         perm_uuid: UUID = uuid7.create()
-        json_db._data.permissions[perm_uuid] = _PermissionData(
+        new_perm = Permission(
             scope=perm.id,  # Old ID becomes the scope
             display_name=perm.display_name,
             orgs={},
         )
+        new_perm.uuid = perm_uuid
+        db.permissions[perm_uuid] = new_perm
         perm_id_to_uuid[perm.id] = perm_uuid
     print(
         f"  Migrated {len(permissions)} permissions (with {len(org_admin_uuids)} org-specific admins consolidated to auth:org:admin)"
@@ -127,16 +130,16 @@ async def migrate_from_sql(
     orgs = await sql_db.list_organizations()
     for org in orgs:
         org_key: UUID = org.uuid
-        json_db._data.orgs[org_key] = _OrgData(
-            display_name=org.display_name,
-        )
+        new_org = Org(display_name=org.display_name)
+        new_org.uuid = org_key
+        db.orgs[org_key] = new_org
         # Update permissions to allow this org to grant them (by UUID)
         for old_perm_id in org.permissions:
             perm_uuid = perm_id_to_uuid.get(old_perm_id)
-            if perm_uuid and perm_uuid in json_db._data.permissions:
-                json_db._data.permissions[perm_uuid].orgs[org_key] = True
+            if perm_uuid and perm_uuid in db.permissions:
+                db.permissions[perm_uuid].orgs[org_key] = True
         # Ensure every org can grant auth:org:admin
-        json_db._data.permissions[org_admin_perm_uuid].orgs[org_key] = True
+        db.permissions[org_admin_perm_uuid].orgs[org_key] = True
     print(f"  Migrated {len(orgs)} organizations")
 
     # Migrate roles - convert old permission IDs to UUIDs
@@ -150,11 +153,13 @@ async def migrate_from_sql(
                 perm_uuid = perm_id_to_uuid.get(old_perm_id)
                 if perm_uuid:
                     new_permissions[perm_uuid] = True
-            json_db._data.roles[role_key] = _RoleData(
-                org=role.org_uuid,
+            new_role = Role(
+                org_uuid=role.org_uuid,
                 display_name=role.display_name,
                 permissions=new_permissions,
             )
+            new_role.uuid = role_key
+            db.roles[role_key] = new_role
             role_count += 1
     print(f"  Migrated {role_count} roles")
 
@@ -163,15 +168,17 @@ async def migrate_from_sql(
         result = await session.execute(select(UserModel))
         user_models = result.scalars().all()
         for um in user_models:
-            user = um.as_dataclass()
-            user_key: UUID = user.uuid
-            json_db._data.users[user_key] = _UserData(
-                display_name=user.display_name,
-                role=user.role_uuid,
-                created_at=user.created_at or datetime.now(timezone.utc),
-                last_seen=user.last_seen,
-                visits=user.visits,
+            legacy_user = um.as_dataclass()
+            user_key: UUID = legacy_user.uuid
+            new_user = User(
+                display_name=legacy_user.display_name,
+                role_uuid=legacy_user.role_uuid,
+                created_at=legacy_user.created_at or datetime.now(UTC),
+                last_seen=legacy_user.last_seen,
+                visits=legacy_user.visits,
             )
+            new_user.uuid = user_key
+            db.users[user_key] = new_user
         print(f"  Migrated {len(user_models)} users")
 
     # Migrate credentials
@@ -179,18 +186,20 @@ async def migrate_from_sql(
         result = await session.execute(select(CredentialModel))
         cred_models = result.scalars().all()
         for cm in cred_models:
-            cred = cm.as_dataclass()
-            cred_key: UUID = cred.uuid
-            json_db._data.credentials[cred_key] = _CredentialData(
-                credential_id=cred.credential_id,
-                user=cred.user_uuid,
-                aaguid=cred.aaguid,
-                public_key=cred.public_key,
-                sign_count=cred.sign_count,
-                created_at=cred.created_at,
-                last_used=cred.last_used,
-                last_verified=cred.last_verified,
+            legacy_cred = cm.as_dataclass()
+            cred_key: UUID = legacy_cred.uuid
+            new_cred = Credential(
+                credential_id=legacy_cred.credential_id,
+                user_uuid=legacy_cred.user_uuid,
+                aaguid=legacy_cred.aaguid,
+                public_key=legacy_cred.public_key,
+                sign_count=legacy_cred.sign_count,
+                created_at=legacy_cred.created_at,
+                last_used=legacy_cred.last_used,
+                last_verified=legacy_cred.last_verified,
             )
+            new_cred.uuid = cred_key
+            db.credentials[cred_key] = new_cred
         print(f"  Migrated {len(cred_models)} credentials")
 
     # Migrate sessions
@@ -207,9 +216,9 @@ async def migrate_from_sql(
             else:
                 # Already in new format or unknown - try to use as-is
                 session_key = base64url.enc(old_key[:12])
-            json_db._data.sessions[session_key] = _SessionData(
-                user=sess.user_uuid,
-                credential=sess.credential_uuid,
+            db.sessions[session_key] = Session(
+                user_uuid=sess.user_uuid,
+                credential_uuid=sess.credential_uuid,
                 host=sess.host,
                 ip=sess.ip,
                 user_agent=sess.user_agent,
@@ -231,26 +240,24 @@ async def migrate_from_sql(
             else:
                 # Already in new format or unknown - truncate to 9 bytes
                 token_key = old_key[:9]
-            json_db._data.reset_tokens[token_key] = _ResetTokenData(
-                user=token.user_uuid,
+            db.reset_tokens[token_key] = ResetToken(
+                user_uuid=token.user_uuid,
                 expiry=token.expiry,
                 token_type=token.token_type,
             )
         print(f"  Migrated {len(token_models)} reset tokens")
 
-    # Queue and flush all changes with actor "migrate"
-    json_db._current_actor = "migrate"
-    json_db._queue_change()
-    from paskia.db.jsonl import flush_changes
+    # Queue and flush all changes using the transaction mechanism
+    with db.transaction("migrate:sql"):
+        pass  # All data already added to _data, transaction commits on exit
 
-    await flush_changes(json_db.db_path, json_db._pending_changes)
+    await store.flush()
 
     print("Migration complete!")
 
 
 def main():
     """CLI entry point for migration."""
-    import argparse
 
     parser = argparse.ArgumentParser(
         description="Migrate Paskia database from SQL to JSON"

paskia/migrate/sql.py

@@ -9,7 +9,7 @@ DO NOT use this module for new code. Use paskia.db instead.
 
 from contextlib import asynccontextmanager
 from dataclasses import dataclass
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from uuid import UUID
 
 from sqlalchemy import (
@@ -25,31 +25,62 @@ from sqlalchemy.dialects.sqlite import BLOB
 from sqlalchemy.ext.asyncio import async_sessionmaker, create_async_engine
 from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
 
-from paskia.db import (
-    Credential,
-    Org,
-    ResetToken,
-    Role,
-    User,
-)
 
+# Legacy User class for SQL schema (uses 'role_uuid' not 'role')
+@dataclass
+class _LegacyUser:
+    """User as stored in the old SQL schema with role_uuid field."""
 
-# Local Permission class for SQL schema (uses 'id' not 'uuid' + 'scope')
+    uuid: UUID
+    display_name: str
+    role_uuid: UUID
+    created_at: datetime | None = None
+    last_seen: datetime | None = None
+    visits: int = 0
+
+
+# Legacy Credential class for SQL schema (uses 'user_uuid' not 'user')
 @dataclass
-class SqlPermission:
-    """Permission as stored in the old SQL schema with id field."""
+class _LegacyCredential:
+    """Credential as stored in the old SQL schema with user_uuid field."""
 
-    id: str
+    uuid: UUID
+    credential_id: bytes
+    user_uuid: UUID
+    aaguid: UUID
+    public_key: bytes
+    sign_count: int
+    created_at: datetime
+    last_used: datetime | None = None
+    last_verified: datetime | None = None
+
+
+# Legacy Role class for SQL schema (uses 'org_uuid' not 'org')
+@dataclass
+class _LegacyRole:
+    """Role as stored in the old SQL schema with org_uuid field."""
+
+    uuid: UUID
+    org_uuid: UUID
     display_name: str
+    permissions: list[str] | None = None
 
 
-DB_PATH_DEFAULT = "sqlite+aiosqlite:///paskia.sqlite"
+# Legacy Org class for SQL schema (has mutable permissions/roles lists)
+@dataclass
+class _LegacyOrg:
+    """Org as stored in the old SQL schema with mutable permissions/roles."""
+
+    uuid: UUID
+    display_name: str
+    permissions: list[str] | None = None
+    roles: list[_LegacyRole] | None = None
 
 
-# Local Session class for SQL schema (uses 'renewed' not 'expiry')
+# Legacy Session class for SQL schema (uses 'key' as field, 'user_uuid', 'credential_uuid')
 @dataclass
-class _SqlSession:
-    """Session as stored in the old SQL schema with renewed timestamp."""
+class _LegacySession:
+    """Session as stored in the old SQL schema."""
 
     key: bytes
     user_uuid: UUID
@@ -60,12 +91,35 @@ class _SqlSession:
     renewed: datetime
 
 
+# Legacy ResetToken class for SQL schema (uses 'key' as field, 'user_uuid')
+@dataclass
+class _LegacyResetToken:
+    """ResetToken as stored in the old SQL schema."""
+
+    key: bytes
+    user_uuid: UUID
+    token_type: str
+    expiry: datetime
+
+
+# Local Permission class for SQL schema (uses 'id' not 'uuid' + 'scope')
+@dataclass
+class SqlPermission:
+    """Permission as stored in the old SQL schema with id field."""
+
+    id: str
+    display_name: str
+
+
+DB_PATH_DEFAULT = "sqlite+aiosqlite:///paskia.sqlite"
+
+
 def _normalize_dt(value: datetime | None) -> datetime | None:
     if value is None:
         return None
     if value.tzinfo is None:
-        return value.replace(tzinfo=timezone.utc)
-    return value.astimezone(timezone.utc)
+        return value.replace(tzinfo=UTC)
+    return value.astimezone(UTC)
 
 
 class Base(DeclarativeBase):
@@ -80,10 +134,13 @@ class OrgModel(Base):
 
     def as_dataclass(self):
         # Base Org without permissions/roles (filled by data accessors)
-        return Org(UUID(bytes=self.uuid), self.display_name)
+        return _LegacyOrg(
+            uuid=UUID(bytes=self.uuid),
+            display_name=self.display_name,
+        )
 
     @staticmethod
-    def from_dataclass(org: Org):
+    def from_dataclass(org: _LegacyOrg):
         return OrgModel(uuid=org.uuid.bytes, display_name=org.display_name)
 
 
@@ -98,14 +155,14 @@ class RoleModel(Base):
 
     def as_dataclass(self):
         # Base Role without permissions (filled by data accessors)
-        return Role(
+        return _LegacyRole(
             uuid=UUID(bytes=self.uuid),
             org_uuid=UUID(bytes=self.org_uuid),
             display_name=self.display_name,
         )
 
     @staticmethod
-    def from_dataclass(role: Role):
+    def from_dataclass(role: _LegacyRole):
         return RoleModel(
             uuid=role.uuid.bytes,
             org_uuid=role.org_uuid.bytes,
@@ -122,15 +179,15 @@ class UserModel(Base):
         LargeBinary(16), ForeignKey("roles.uuid", ondelete="CASCADE"), nullable=False
     )
     created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+        DateTime(timezone=True), default=lambda: datetime.now(UTC)
     )
     last_seen: Mapped[datetime | None] = mapped_column(
         DateTime(timezone=True), nullable=True
     )
     visits: Mapped[int] = mapped_column(Integer, nullable=False, default=0)
 
-    def as_dataclass(self) -> User:
-        return User(
+    def as_dataclass(self) -> "_LegacyUser":
+        return _LegacyUser(
             uuid=UUID(bytes=self.uuid),
             display_name=self.display_name,
             role_uuid=UUID(bytes=self.role_uuid),
@@ -140,12 +197,12 @@ class UserModel(Base):
         )
 
     @staticmethod
-    def from_dataclass(user: User):
+    def from_dataclass(user: "_LegacyUser"):
         return UserModel(
             uuid=user.uuid.bytes,
             display_name=user.display_name,
             role_uuid=user.role_uuid.bytes,
-            created_at=user.created_at or datetime.now(timezone.utc),
+            created_at=user.created_at or datetime.now(UTC),
             last_seen=user.last_seen,
             visits=user.visits,
         )
@@ -165,7 +222,7 @@ class CredentialModel(Base):
     public_key: Mapped[bytes] = mapped_column(BLOB, nullable=False)
     sign_count: Mapped[int] = mapped_column(Integer, nullable=False)
     created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+        DateTime(timezone=True), default=lambda: datetime.now(UTC)
     )
     last_used: Mapped[datetime | None] = mapped_column(
         DateTime(timezone=True), nullable=True
@@ -175,7 +232,7 @@ class CredentialModel(Base):
     )
 
     def as_dataclass(self):
-        return Credential(
+        return _LegacyCredential(
             uuid=UUID(bytes=self.uuid),
             credential_id=self.credential_id,
             user_uuid=UUID(bytes=self.user_uuid),
@@ -205,12 +262,12 @@ class SessionModel(Base):
     user_agent: Mapped[str] = mapped_column(String(512), nullable=False)
     renewed: Mapped[datetime] = mapped_column(
         DateTime(timezone=True),
-        default=lambda: datetime.now(timezone.utc),
+        default=lambda: datetime.now(UTC),
         nullable=False,
     )
 
     def as_dataclass(self):
-        return _SqlSession(
+        return _LegacySession(
             key=self.key,
             user_uuid=UUID(bytes=self.user_uuid),
             credential_uuid=UUID(bytes=self.credential_uuid),
@@ -221,7 +278,7 @@ class SessionModel(Base):
         )
 
     @staticmethod
-    def from_dataclass(session: _SqlSession):
+    def from_dataclass(session: _LegacySession):
         return SessionModel(
             key=session.key,
             user_uuid=session.user_uuid.bytes,
@@ -243,8 +300,8 @@ class ResetTokenModel(Base):
     token_type: Mapped[str] = mapped_column(String, nullable=False)
     expiry: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
 
-    def as_dataclass(self) -> ResetToken:
-        return ResetToken(
+    def as_dataclass(self) -> _LegacyResetToken:
+        return _LegacyResetToken(
             key=self.key,
             user_uuid=UUID(bytes=self.user_uuid),
             token_type=self.token_type,
@@ -338,7 +395,7 @@ class DB:
             result = await session.execute(select(PermissionModel))
             return [p.as_dataclass() for p in result.scalars().all()]
 
-    async def list_organizations(self) -> list[Org]:
+    async def list_organizations(self) -> list[_LegacyOrg]:
         async with self.session() as session:
             # Load all orgs
             orgs_result = await session.execute(select(OrgModel))
@@ -365,13 +422,13 @@ class DB:
                 perms_by_role.setdefault(rp.role_uuid, []).append(rp.permission_id)
 
             # Build org dataclasses with roles and permission IDs
-            roles_by_org: dict[bytes, list[Role]] = {}
+            roles_by_org: dict[bytes, list[_LegacyRole]] = {}
             for rm in role_models:
                 r_dc = rm.as_dataclass()
                 r_dc.permissions = perms_by_role.get(rm.uuid, [])
                 roles_by_org.setdefault(rm.org_uuid, []).append(r_dc)
 
-            orgs: list[Org] = []
+            orgs: list[_LegacyOrg] = []
             for om in org_models:
                 o_dc = om.as_dataclass()
                 o_dc.permissions = perms_by_org.get(om.uuid, [])

paskia/remoteauth.py

@@ -19,12 +19,12 @@ The first 3 words of the token serve as the pairing code for manual entry.
 
 import asyncio
 import logging
+from collections.abc import Callable
 from dataclasses import dataclass
-from datetime import datetime, timedelta, timezone
-from typing import Callable
+from datetime import UTC, datetime, timedelta
 from uuid import UUID
 
-from paskia.util import passphrase
+from paskia.util import passphrase, pow
 
 # Remote auth requests expire after this duration
 REMOTE_AUTH_LIFETIME = timedelta(minutes=5)
@@ -94,7 +94,7 @@ class RemoteAuthManager:
 
     async def _cleanup_expired(self):
         """Remove expired requests and notify waiting clients."""
-        now = datetime.now(timezone.utc)
+        now = datetime.now(UTC)
         expired_keys = []
         async with self._lock:
             for key, req in self._requests.items():
@@ -123,7 +123,7 @@ class RemoteAuthManager:
         Returns:
             (code, expiry) - The 3-word passphrase code and expiration time
         """
-        now = datetime.now(timezone.utc)
+        now = datetime.now(UTC)
         expiry = now + REMOTE_AUTH_LIFETIME
 
         async with self._lock:
@@ -160,7 +160,7 @@ class RemoteAuthManager:
             req = self._requests.get(normalized)
             if req is None:
                 return None
-            now = datetime.now(timezone.utc)
+            now = datetime.now(UTC)
             if now > req.created_at + REMOTE_AUTH_LIFETIME:
                 # Expired
                 del self._requests[normalized]
@@ -319,7 +319,6 @@ class RemoteAuthManager:
         Returns:
             PoW work units (pow.NORMAL or pow.HARD)
         """
-        from paskia.util import pow
 
         count = self.get_connection_count()
         return pow.HARD if count >= 10 else pow.NORMAL
@@ -332,7 +331,7 @@ class RemoteAuthManager:
             req = self._requests.get(token)
             if req is None:
                 return None
-            now = datetime.now(timezone.utc)
+            now = datetime.now(UTC)
             if now > req.created_at + REMOTE_AUTH_LIFETIME:
                 del self._requests[token]
                 return None

paskia/sansio.py

@@ -8,11 +8,9 @@ This module provides a unified interface for WebAuthn operations including:
 """
 
 import json
-from datetime import datetime, timezone
 from urllib.parse import urlparse
 from uuid import UUID
 
-import uuid7
 from webauthn import (
     generate_authentication_options,
     generate_registration_options,
@@ -176,14 +174,12 @@ class Passkey:
             expected_origin=origin,
             expected_rp_id=self.rp_id,
         )
-        return Credential(
-            uuid=uuid7.create(),
+        return Credential.create(
             credential_id=credential.raw_id,
-            user_uuid=user_uuid,
+            user=user_uuid,
             aaguid=UUID(registration.aaguid),
             public_key=registration.credential_public_key,
             sign_count=registration.sign_count,
-            created_at=datetime.now(timezone.utc),
         )
 
     ### Authentication Methods ###
@@ -234,8 +230,11 @@ class Passkey:
         Args:
             credential: The authentication credential response from the client
             expected_challenge: The earlier generated challenge bytes
-            stored_cred: The server stored credential record (modified by this function)
+            stored_cred: The server stored credential record (NOT modified)
             origin: The origin URL (required, must be pre-validated)
+
+        Returns:
+            VerifiedAuthentication with new_sign_count and user_verified status
         """
         # Verify the authentication response
         verification = verify_authentication_response(
@@ -246,11 +245,6 @@ class Passkey:
             credential_public_key=stored_cred.public_key,
             credential_current_sign_count=stored_cred.sign_count,
         )
-        stored_cred.sign_count = verification.new_sign_count
-        now = datetime.now(timezone.utc)
-        stored_cred.last_used = now
-        if verification.user_verified:
-            stored_cred.last_verified = now
         return verification
 
 

{paskia-0.8.1.dist-info → paskia-0.9.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: paskia
-Version: 0.8.1
+Version: 0.9.1
 Summary: Passkey Auth made easy: all sites and APIs can be guarded even without any changes on the protected site.
 Project-URL: Homepage, https://git.zi.fi/LeoVasanko/paskia
 Project-URL: Repository, https://github.com/LeoVasanko/paskia